Minutes of the RTFM Working Group, Munich, Thursday 14 August 97 Reported by Greg Ruth and Stephen Stibler The WG's new charter (which has been approved by IESG) was reviewed; it is very much the same as the old one, but with a much stronger emphasis on security. A new goal of the WG is to share our experience with traffic measurement and accounting with other groups. Nevil Brownlee reported on the current state of NeTraMet. A new release has been available in beta since May 97. It implements all the features of our current MIB draft, and NeMaC (NeTraMet's manager) provides much better checking for invalid rule sets. The PC version of the meter uses 32-bit addressing, greatly increasing the number of flows it can handle. Nevil is working on a NeTraMet front-end for Cisco NetFlow data. Sig Handelman reported briefly on the state of the IBM Meter implementation. Since last IETF they have implemented the current MIB and are testing several new attributes. There were three short presentations of work in traffic flow measurement: * Siegfried Loeffler described "Fluid," a Java version of Nifty (an X-windows analysis program distributed with NeTraMet). This uses Java SNMP classes from Advent Networks, together with their Secure Applet Server (which runs on the Web server and serves as a proxy to allow other hosts to do SNMP interactions with an SNMP agent, in this case a NeTraMet meter). Fluid displays the current traffic on the network in real time inside a Web Browser. It reads about 300 flow records in 10 seconds, which is fast enough for it to be a useful tool for overseeing a network. Siegfried would like to see other people continue this work. A URL for Fluid is http://www. mathematik.uni-stuttgart.de/~floeff/diplom/ietfslides/index.htm * Nevil presented a set of slides from Massimiliano Cansona at Cefriel in Italy. These describe work done by Matteo Snidero on measuring RSVP-controlled flows. He has produced a program which uses RSVP request packets to build up a matrix of information about RSVP sessions. Whenever this table changes the program writes a NeTraMet rule set which is downloaded to a NeTraMet meter. The meter has been extended with two new attributes - IsRSVP and FlowTokenBucketRate. These are set by the rules for flows with RSVP reservations, and collected by a meter reader along with the measured packet and byte counts. This allows an analysis application to see how actual usage compares with the RSVP request. This work is being continued at Cefriel; their URL is http://www.cefriel.it/ntw. * Sig presented a set of slides from John Stewart and John Robinson in Ottawa. They have produced MultiMON, an IP multicast monitor, and have released version 1.1 to the community for testing. MultiMON allows one to see (on a pie chart) what types of multicast traffic are running. It allows one to join and monitor multicast conferences, and will produce plots indicating how RTCP streams are performing. This work is continuing; we hope it will prove useful to RTFM as we strive to produce extended attributes for multicast. MultiMON's URL is http://www.merci.crc.doc.ca/mbone/MultiMON. The current Meter MIB draft contains the corrections discussed in Memphis. A final version (with minor editorial changes) will be published shortly. This will go to WG last call, before being submitted to IESG for publication as a Proposed Standard RFC. To complement the new Meter MIB we need to revise the Architecture RFC. Nevil summarised the changes needed, and pointed out that - apart from a proper 'Security Considerations' section - only very small changes are needed. After further discussion, the WG agreed that the editors will produce a list of proposed changes for discussion on the mailing list, then publish a new 'Architecture' Draft. This will be followed by a WG last call, leading to submission as a Proposed Standard. The latest 'New Attributes' draft was discussed; this has been extended to include a method of implementing 'distribution-valued' attributes, proposes ten such attributes, i.e. To/From Packet Size, InterArrival Time, Turnaround Time, Byte- and Packet-Rate. Nevil gave a brief presentation on implementation experience with these. The numbering of attributes was discussed; we propose to reserve 1..63 for 'Basic Meter' attributes, 65..127 for 'Extended' attributes, and 129..255 for 'Experimental' (user-defined) attributes. It was pointed out that it should be possible to determine which attributes are implemented on a meter. Attributes derived from TCP headers were discussed; we need a small group of TCP wizards to consider this and send a proposal to the mailing list. Security-related attributes were discussed. It would be useful to count the number of different values appearing in RTFM attributes (e.g. destination port numbers for specified source/destination peer address pairs); this will be investigated. The WG's Goals and Milestones were reviewed, but do not need changing at this time.